0 Replies Latest reply on Nov 3, 2008 8:09 AM by HarryWaldron

    Win32/Sinowal - MBR Rootkit with Password stealer impacts 500,000 accounts

      Users should ensure their AV protection is up-to-date, as a new variant of this highly stealthy rootkit was launched during late October. Approximately 510,000 bank and credit card accounts have been impacted based on analysis so far. Removal of MBR-based malware is always difficult and may ultimately require a complete reformatting of the hard drive and reinstallation of all software. It appears to spread through web-based exploits, and users should be cautious with web links in email and with the sites that they visit.

      Win32/Sinowal - MBR Rootkit with Password stealer impacts 500,000 accounts
      http://voices.washingtonpost.com/securityfix/2008/10/virtual_bank_heist_nets_500000.html

      QUOTE: A single cyber crime group has stolen more than a half million bank, credit and debit card accounts over the past two-and-a-half years using one of the most advanced strains of computer spyware in existence, according to research to be published today. The discovery is among the largest stolen data caches ever recovered.

      HOW IT SPREADS: When an unsuspecting Windows user visits one of these sites, the code left on the site tries to install the Trojan using one of several known Web browser security holes, such as vulnerabilities found in popular video and music player plug-ins like Macromedia Flash and Apple's QuickTime player.

      IMPACT: RSA investigators found more than 270,000 online banking account credentials, as well as roughly 240,000 credit and debit account numbers and associated personal information on Web servers the Sinowal authors were using to set up their attacks.

      REMOVAL IS COMPLEX: Sinowal also is unique in that it hides in the deepest recesses of a host computer, an area known as the "Master Boot Record." The MBR is akin to a computer's table of contents, a file system that loads even before the operating system boots up. According to security experts, many anti-virus programs will remain oblivious to such a fundamental compromise. What's more, completely removing the Trojan from an infected machine often requires reformatting the system and wiping any data stored on it.
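      Since AV that only scans the file system can miss a modified MBR, one defender-side check is to snapshot the first 512 bytes of the disk while the machine is known clean and compare the boot-code region against that baseline later. The script below is an added example, not part of the original post or any of the linked write-ups; the MBR bytes are constructed inline rather than read from a real disk, and reading the raw device in production (which needs administrator rights) is assumed but not shown.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot loader code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"      # bytes 510..511 must be the boot signature

def parse_mbr(mbr: bytes) -> dict:
    """Split a raw 512-byte MBR into boot code, partition entries and signature."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        raw = mbr[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", raw)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": mbr[:BOOT_CODE_LEN],
            "partitions": entries,
            "signature_ok": mbr[510:] == SIGNATURE}

def boot_code_digest(mbr: bytes) -> str:
    """SHA-256 of the boot-code region only; the partition table is excluded."""
    return hashlib.sha256(parse_mbr(mbr)["boot_code"]).hexdigest()

def check_mbr(current: bytes, baseline_digest: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(current)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if boot_code_digest(current) != baseline_digest:
        findings.append("boot code differs from recorded baseline")
    return findings

# Constructed sample: placeholder boot code, one bootable NTFS partition, valid signature.
def build_sample_mbr(boot_code: bytes) -> bytes:
    assert len(boot_code) <= BOOT_CODE_LEN
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)  # starts at LBA 2048
    table = entry + b"\x00" * 48                                  # three empty entries
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + SIGNATURE

CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")  # known-good snapshot
BASELINE = boot_code_digest(CLEAN_MBR)
# Constructed tampered MBR: boot code swapped, partition table left as-is, so the
# disk still partitions and boots normally from the user's point of view.
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c\x90" + b"\x00" * 5)
```

`check_mbr(CLEAN_MBR, BASELINE)` returns an empty list, while `check_mbr(TAMPERED_MBR, BASELINE)` reports the boot-code change even though the partition entries are identical.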

      Additional information below:

      Win32/Sinowal - Rootkit based Password stealer
      http://blogs.technet.com/antimalware/archive/2008/01/10/mbr-rootkit-virtool-winnt-sinowal-a-report.aspx
      http://www.microsoft.com/security/portal/Entry.aspx?name=VirTool:WinNT/Sinowal.A
      http://www.infoworld.com/article/08/01/09/New-rootkit-uses-old-trick-to-hide-itself_1.html
      http://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99
      http://vil.nai.com/vil/content/v_143908.htm

      QUOTE: Win32/Sinowal is a family of password-stealing and backdoor trojans. These trojans may try to find a cryptographic certificate on the infected computer and install a certificate on the computer to mislead users in Secure Sockets Layer (SSL) Web transactions. Some Win32/Sinowal components may also use advanced stealth functionality, or try to perform certain operations from the context of a trusted process such as explorer.exe in order to bypass local software-based firewalls.